
Popa & 2016
CS 161 Computer Security
Final Exam
Print your name: , (last)
(first)
I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct on this exam will lead to an “F” grade for the course and that the misconduct will be reported to the Center for Student Conduct.
Sign your name:
Print your class account login: cs161-
Name of the person sitting to your left:
and SID:
Name of the person sitting to your right:
You may consult four single-sided sheets of notes (or two double-sided sheets). You may not consult other notes, textbooks, etc. Calculators, computers, and other electronic devices are not permitted. Please write your answers in the spaces provided in the test. We will not grade anything on the back of an exam page unless we are clearly told on the front of the page to look there.
You have 180 minutes. There are 11 questions, of varying credit (200 points total). The questions are of varying difficulty, so avoid spending too long on any one question.
Do not turn this page until your instructor tells you to do so.
“Ransomware is the greatest thing to ever happen to computer security, all thanks to anarchist crypto nerds who wanted magic internet money.” -Securi

Problem 1 True or false (46 points)
Circle True or False. Do not justify your answer.
(a) True or False: The same origin policy allows https://www.amazon.com to access the resources of http://www.amazon.com.
Solution: False – the protocol is different.
(b) True or False: Framebusting is a defense against cookie tracking.
Solution: False – framebusting is a defense against clickjacking attacks.
(c) True or False: The httpOnly flag of a cookie mitigates XSS attacks because it ensures the browser sends the cookie only over https.
Solution: False – it ensures the cookie is not accessed by JS, but it can be sent over http too.
(d) True or False: Javascript running on the outer frame of a website can always access the resources of an inner frame in the page.
Solution: False – if they are different origins, they cannot access each other.
(e) True or False: Two Javascript scripts embedded in pages running in two different tabs on a user’s browser can never access the resources of each other.
Solution: False – if they are the same origin, they can access each other.
(f) True or False: All CA-s in your browser need to be trustworthy in order to be protected via TLS (assume no certificate pinning).
Solution: True
(g) True or False: If you obtained the long-term private key of a party in a TLS connection, you can decrypt past TLS connections if the server uses DHE for the key exchange.
Solution: False; DHE does provide forward security.
(h) True or False: TLS does not hide who the communicating parties are from an observer.
Solution: True
(i) True or False: AES-ECB mode (encrypting each block separately with the block cipher and the same IV) is IND-CPA.
Final Exam Page 2 of 22 CS 161 – Fa 16

Solution: False; attacker can tell if two blocks are the same.
(j) True or False: Cryptographic hash functions do not have any collisions.
Solution: False – collisions exist, it is just difficult to find them.
(k) True or False: User chosen passwords are good seed values for a PRG.
Solution: False – user-defined passwords have low entropy.
(l) True or False: A website that rejects all user input that contains
or
Solution: x’; DROP TREATS; –
Solution: Use Parametrized SQL statements, or escape, or sanitize inputs.
Solution: Reflected XSS, although just XSS is acceptable

http://www.tastytreats.com/search.html?term=, a user viewing the post in script mode would see the alert, whereas a user not browsing in script mode would see sanitized output.
(a) Their initial release of the feature has users enter script-mode by navigating to https://facepalm.com/script-mode, whereas normal browsing navigates to https://facepalm.com/no-script-mode. They quickly notice scripts popping up to steal the cookies of users who enter script-mode. How could they change the cookies they set for users such that attackers would not be able to steal cookies? Answer in one sentence.
Solution: Set the HTTPOnly flag in cookies to prevent them from being accessed by scripts.
(b) After implementing this change, attack-scripts no longer steal cookies, but they quickly notice scripts popping up that send users’ private information (i.e. birthday, apps visited, etc.) over to https://evil.com. The FacePalm admins decide that users browsing in script-mode should not be allowed to view their own private content. They decide to switch the URLs that users browse to: now to browse in script-mode, users visit https://script-mode.facepalm.com, whereas for normal browsing, users now visit https://no-script-mode.facepalm.com, and to view private content, users visit https://no-script-mode.facepalm.com/private. Why can attackers no longer steal private information?
Solution: Attackers can’t steal private information anymore by the same origin policy. Since the script-mode domain is different from the domain for requesting private content, responses to requests for https://no-script-mode.facepalm.com/private are blocked by the browser.
(c) After the change in part b, FacePalm notices scripts that force users to post annoying copypasta. After seeing “I am still getting ya” posted for the fifteenth time, the FacePalm admins decide to put an end to it, so they restrict post-content requests to no-script-mode domains (i.e. users must request https://no-script-mode.facepalm.com/post in order to post content, and there is no script-mode equivalent endpoint). However, they notice that benign users still end up posting annoying messages to https://no-script-mode.facepalm.com/post. What type of vulnerability is FacePalm likely facing here, and how could they solve this issue?

Solution:
FacePalm is facing a CSRF vulnerability. They can solve it by using random tokens.

Problem 8 Diagnosing Heartbleed (19 points)
OpenSSL, a popular open-source implementation of TLS, was recently attacked by exploiting a vulnerability in its handling of heartbeat messages, which is now known as the Heartbleed vulnerability.
Someone decided that TLS should support its own “heartbeat” messages to maintain long term connections (in addition to TCP’s keepalives) and that these heartbeat messages should contain arbitrary content sent by the client and echoed back by the server.
The relevant, simplified implementation is as follows:
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    /* length of heartbeat message from client. This field is set by the server. */
    uint32_t length;
    /* contents of the heartbeat message. This is controlled by the malicious client. */
    uint8_t *data;
} SSL3_RECORD;

uint8_t *processHeartbeat(SSL3_RECORD *r) {
    /* message type e.g. HEARTBEAT; this field set by client */
    uint8_t type = *((uint8_t *) &r->data[0]);
    /* length of data; this field set by client */
    uint16_t len = *((uint16_t *) &r->data[1]);
    uint8_t *buf = malloc(len + 3);
    /* type of response */
    *((uint8_t *) &buf[0]) = HEARTBEAT_RESPONSE;
    /* response length equals client’s message length */
    *((uint16_t *) &buf[1]) = len;
    /* copy the client’s message verbatim */
    memcpy(buf + 3, r->data, len);
    /* return the message to be sent to the client */
    return buf;
}
Figure 1: Vulnerable Procedure
Observe that the SSL3_RECORD contains a pointer to data sent by the malicious client. The server populates the length field of SSL3_RECORD with the length of the data actually sent by the client. The data sent by the client itself contains the encoded message itself, with the first byte always specifying the type of message. For Heartbeat messages the type specifies that it is a heartbeat message, the next two bytes specify the length the client expects back, and the remaining bytes are the nonce the client sends.
(a) A vulnerability here makes the program leak large parts of its memory upon processing a heartbeat message. This is catastrophic as the memory may potentially have cryptographic keys, session cookies from other users, and other secrets. Describe the vulnerability and construct the exploit heartbeat message.
Solution: Adversary lies about the length of the message in the heartbeat request.
msg[0] = HEARTBEAT, msg[1..2] = 65535, msg[3] = ’x’

(b) What is the approximate maximum amount of memory (in kilobytes) that the attacker can read using one malicious heartbeat message?
Solution: 64KB
(c) Would the use of stack canaries prevent this attack? Why?
Solution: No. Stack canaries prevent overriding the memory on the stack, not reading outside of the bounds.
(d) Would the use of DEP prevent this attack? Why?
Solution: No. DEP prevents code execution, but this doesn’t rely on executing code.
(e) Would the use of ASLR prevent this attack? Why?
Solution: No. ASLR makes it harder to execute the attacker’s code once memory is overridden, but it does not prevent reading outside of the bounds, which is what is happening here.
(f) Would the use of a memory-safe programming language prevent this attack? Why?
Solution: Yes. A memory-safe programming language would detect the out-of-bounds read of the nonce pointer.
(g) Suggest a modification to the code that fixes this vulnerability while keeping the intended functionality of heartbeats.
Solution: Check len + 3 ≤ r->length before memcpy.
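The fix from part (g), worked into the routine from Figure 1, as an added example that is not part of the original exam: the handler drops any record whose claimed length exceeds the bytes actually received. The message-type values, the out_len parameter and the response_size helper are assumptions made for this example, and the copy starts at data + 3 so that only the nonce is echoed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEARTBEAT          1   /* constructed value, not from the exam */
#define HEARTBEAT_RESPONSE 2   /* constructed value, not from the exam */

typedef struct {
    uint32_t length;  /* bytes actually received; set by the server */
    uint8_t *data;    /* type (1 byte) | claimed length (2 bytes) | nonce */
} SSL3_RECORD;

/* Returns a malloc'd response and its size, or NULL for a malformed record. */
uint8_t *processHeartbeatChecked(const SSL3_RECORD *r, size_t *out_len) {
    uint16_t len;
    if (r == NULL || r->data == NULL || r->length < 3)
        return NULL;                       /* too short to hold the header */
    memcpy(&len, &r->data[1], sizeof len); /* no unaligned pointer cast */
    if ((uint32_t)len + 3 > r->length)
        return NULL;                       /* part (g): len + 3 <= r->length */
    uint8_t *buf = malloc((size_t)len + 3);
    if (buf == NULL) return NULL;
    buf[0] = HEARTBEAT_RESPONSE;
    memcpy(&buf[1], &len, sizeof len);
    memcpy(buf + 3, r->data + 3, len);     /* stays inside the received bytes */
    *out_len = (size_t)len + 3;
    return buf;
}

/* Builds a constructed request and returns the response size (0 = dropped). */
size_t response_size(uint16_t claimed, const uint8_t *nonce, uint32_t nonce_len) {
    uint8_t raw[3 + 64];
    size_t out_len = 0;
    if (nonce_len > 64) return 0;
    raw[0] = HEARTBEAT;
    memcpy(&raw[1], &claimed, sizeof claimed);
    memcpy(&raw[3], nonce, nonce_len);
    SSL3_RECORD r = { 3 + nonce_len, raw };
    uint8_t *resp = processHeartbeatChecked(&r, &out_len);
    size_t n = resp ? out_len : 0;
    free(resp);
    return n;
}

int main(void) {
    printf("honest request: %zu bytes\n", response_size(1, (const uint8_t *)"x", 1));
    printf("lying request:  %zu bytes\n", response_size(65535, (const uint8_t *)"x", 1));
    return 0;
}
```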

Problem 9 Secure Broadcast (12 points)
Consider a server $s$ that wishes to broadcast messages to clients $c_1, \ldots, c_n$. We define secure broadcast to be a protocol where each client is guaranteed to receive messages that are generated by the server, i.e. we want to ensure that a client can indeed verify that the message comes from the server and from no one else.
(a) Consider a design where $s$ shares the same symmetric key with all the clients (using an out-of-band secure channel). $s$ attaches a MAC, computed using the symmetric key, to each message sent to the clients. Does this scheme guarantee integrity and authenticity? Explain why or why not.
Solution: No. Any client could have also generated the message.
(b) Consider a design where $s$ shares a unique random key with each client (using a secure out-of-band channel) and then MACs all messages using this unique key. Does this scheme guarantee authenticity? (Ignore replay attacks here.)
Solution: Yes, because each client should have a unique key.
(c) Consider a client who is unhappy about the message it gets from the server and would like to convince a judge that $s$ sent him such a terrible message. Can the client convince the judge by showing the message and the MAC? If yes, explain why. If not, propose a fix.
Solution: No, the client could have sent this message himself. Instead the server should sign the message.

Problem 10 Hunting block cipher chaining modes (12 points)
Unexcited about the block cipher chaining modes Alice learned in CS 161, especially CBC and CTR, she decides to create her own that also provides IND-CPA security. Let $B$ be a block cipher and denote by $B_k(p)$ the block cipher applied to plaintext $p$ with key $k$. Alice has come up with the block cipher chaining modes below and she needs your help to decide if they are IND-CPA or not. For each scheme below, say whether it is IND-CPA or not. If it is not IND-CPA, additionally give a concrete example of a piece of information the attacker learns about the plaintext from the ciphertext in this encryption scheme that he/she would not be able to learn from an IND-CPA-secure scheme.
Consider the plaintext $P = (P_1, P_2, \ldots, P_l)$ where each $P_i$ has size the block size of $B$. Let $\oplus$ be bitwise XOR.
(a) $Enc_k(P) = (C_1, \ldots, C_l)$, where $C_i = B_k(i \oplus P_i)$.
Solution: Not IND-CPA. This scheme is deterministic to begin with so the attacker can tell if two encrypted plaintexts are equal. Moreover, the attacker can tell if two different ciphertexts have equal blocks in the same position.
(b) $Enc_k(P) = (IV_1, C_1, \ldots, IV_l, C_l)$, where $C_i = B_k(IV_i \oplus P_i)$, where each $IV_i$ is generated randomly and independently of the other IVs.
Solution: This is IND-CPA.
(c) Let $IV = hash(P)$, where hash is a cryptographic hash function (in particular, it is collision resistant). Assume the hash of $P$ fits exactly in the IV size. Let $C_0 = IV$. $Enc_k(P) = (IV, C_1, \ldots, C_l)$, where $C_i = B_k(C_{i-1} \oplus P_i)$.
Solution: Not IND-CPA. This scheme is also deterministic so the attacker can tell if two encrypted plaintexts are equal.

Problem 11 Sessions with localStorage (15 points)
Browsers support a feature called localStorage, which allows a website to save and load data on the user’s computer. The storage is a key-value database, which can be accessed by JavaScript code on a webpage. Data that is saved by one page can be accessed by any other page that comes from the same origin. Unlike cookies, data in localStorage is not automatically sent with any HTTP requests.
Consider building a website using localStorage to implement a session management system.
(a) Suppose the server receives an HTTP request containing correct credentials that authenticate a user. The server generates a random session token to be stored in the browser. However, the server doesn’t have direct access to localStorage.
Describe an HTTP response that the server can send in order to get the session token stored. You can either provide the code snippet or describe what the code should do.
(b) Next, the user loads a page with a form for executing an action while logged in. The page always has the exact same URL and HTML code, regardless of which user is logged in (this helps with caching performance).
Describe what could be included in the page to ensure that a form submission to the site’s server will include the user’s session token, as well as how the server would receive the session token. You don’t have to write actual code; assume that JavaScript code is capable of:
• Running when the page loads
• Running just before the browser submits a form
• Saving and loading data in localStorage
• Inspecting and modifying the contents of the webpage as it is interpreted by the browser (this is called the DOM or Document Object Model).
(c) Consider how an XSS vulnerability would affect the security of this session management system, compared to a session management system that stores a session token in a cookie. Could an attacker exploit an XSS vulnerability to steal the session
Solution: Send an HTML page with a